Customer Guidance on Best Practices
Administrators - Protect Your Company!
OpenSymmetry recommends that Customer Organizations have a set of controls in place to work safely and successfully with any web application and its associated services, whether provided by OpenSymmetry or by any other company.
Internal Access Control
Primary Administrator
OpenSymmetry recommends that your company identify an individual to serve as the primary administrative contact responsible for your company's interactions with OpenSymmetry. This individual should have a firm understanding of your company's security policies and should be the main point of communication between your company and OpenSymmetry's system administration personnel. Notify OpenSymmetry of the identity of your primary administrative contact through a support ticket.
Personnel
Customer Organizations should implement sound and consistent internal controls governing access to, and appropriate use of, all of their internal IT systems, especially those that interact with OpenSymmetry's systems and services. In particular:
- Customer Organizations should promptly disable the internal accounts of terminated users who were involved in any activity associated with OpenSymmetry's systems and services, and revoke any credentials those users held for accessing them.
- Customer Organizations are responsible for notifying OpenSymmetry in a timely manner of any changes to personnel directly involved with OpenSymmetry's systems and services, including back-office personnel who may have been in contact with OpenSymmetry about financial, technical or other administrative functions related to the business relationship.
- Customer Organizations should implement controls requiring appropriate internal approval for critical transactions relating to OpenSymmetry's systems and services. It is the Customer Organization's responsibility to inform OpenSymmetry of any levels of internal approval authority that it wishes to apply to its interactions with OpenSymmetry.
Data Protection & Information Security
Customer Organizations should implement Data Protection and Information Security policies and procedures that apply throughout the organization. These should cover the standard Data Protection and Information Security controls and best practices needed to secure the Customer Organization's operational business infrastructure. In particular:
- Customer Organizations that send data to OpenSymmetry should protect that data, both at rest and in transit, with methods appropriate to preserving its confidentiality, privacy, integrity, availability and non-repudiation (for example, encrypted connections such as TLS for transfers, and encryption of any stored copies).
- Customer Organizations should report to OpenSymmetry in a timely manner any material changes to their overall internal control environment that may adversely affect the services OpenSymmetry performs.
- Customer Organizations should report to OpenSymmetry in a timely manner any material changes to their internal technical environment that may adversely affect any interfaces established between the Customer Organization's systems and OpenSymmetry's systems.
Secure Employee Systems
One of your goals should be to keep email fraud, malware and phishing attempts from reaching your users. To help achieve this, secure all computers used by your employees by doing the following:
- Keep all users on the latest supported browser version.
- Deploy email filtering technology on your mail server systems, including checks of sender authentication records (SPF, DKIM and DMARC) so that mail with forged sender addresses is rejected or quarantined before delivery.
- Install and maintain virus and malware protection software on all user machines, and keep operating systems, applications and detection signatures up to date.
Governance
Customer Organizations are responsible for implementing internal governance policies regarding their business transactions with OpenSymmetry. In particular:
- Customer Organizations are responsible for developing a Business Continuity and Disaster Recovery Plan that provides for the continued use of OpenSymmetry's services should the Customer Organization experience an event that requires the plan to be put into action.
- Customer Organizations are responsible for adhering to the Terms and Conditions stated within their executed contracts with OpenSymmetry.
Threat Management
Users
Users of online services are targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware), phone calls and other social engineering techniques, each aimed at gathering information that can be used to gain unauthorized access or privileged knowledge. We recommend that all users follow these guidelines to help keep their online sessions safe.
Usernames & Passwords
When creating your username and/or password for any online system, please be mindful of these best practices for access credentials:
- Don't reuse the same username and password combination across your online accounts; credentials stolen from one site are routinely tried against others.
- Never share your passwords with anyone. Never write them down or send them via email. OpenSymmetry personnel will never ask you for your password.
- Follow widely accepted criteria for selecting strong passwords. These change over time (current guidance such as NIST SP 800-63B favors long passphrases that are unique to each site over short passwords with mandatory special characters), and many websites can tell you what is considered "strong" at any point in time.
Phishing and Malware
Phishing is an attack technique in which criminals attempt to lull users into a false sense of security, for example by setting up a web site that mimics a legitimate site, or by sending email that appears to come from a "known entity" when it was actually sent from somewhere else. By following the tips below, you can reduce the chance of becoming a victim:
- Pay attention to where an email came from. A phishing email will often come from an address that merely appears genuine: criminals trick recipients by embedding the name of a legitimate company somewhere within an email address or web address (for example as a subdomain, or as part of a lookalike domain). The display name shown by your mail client can say anything at all, so check the actual address behind it.
- Pay attention to suspicious attachments. Treat any email that carries an attached file as potentially dangerous, especially if it was not expected or came from an unknown sender. Never open an attachment if you're not sure what it is, and always scan attachments with a virus scanner before opening them.
- Pay attention to spurious calls to action. Phishing emails commonly try to instill panic in the recipient: the email may claim that your account has been compromised and that the only way to verify it is to enter your login details, or that your account will be closed if you do not act immediately. Take the time to consider whether an email is asking something reasonable of you. If you're unsure, contact the company through another channel you already know to be genuine, not through the contact details given in the email.
When in doubt, throw it out!
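The sender, link, urgency and attachment checks above (and the email filtering recommended under Secure Employee Systems) can be automated as a first-pass triage of a suspicious message. The following is an added example, not OpenSymmetry's code or any product it ships: it assumes a single legitimate sending domain (`opensymmetry.com`) and a brand string, and both sample messages are constructed for illustration. It parses the raw message, compares the display name with the real sender address, flags sender and link hosts that contain the brand name but are not the approved domain, notes a Reply-To that points elsewhere, looks for panic phrases, and lists attachments with a warning for risky file types.

```python
"""Heuristic phishing triage for one raw RFC 5322 message (added example).

The legitimate domain list, the brand string and the two sample messages
below are constructed assumptions, not data from any real mail system.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only domain the vendor legitimately sends from or links to.
LEGIT_DOMAINS = {"opensymmetry.com"}
BRAND = "opensymmetry"  # brand string that lookalike domains tend to embed
RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".zip", ".iso", ".html", ".docm", ".xlsm"}
URGENCY = ("urgent", "immediately", "will be closed", "has been compromised",
           "verify your", "confirm your password")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_of_addr(addr: str) -> str:
    """Domain part of an email address, normalised."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True for an approved domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(host: str) -> bool:
    """Host mentions the brand but is not an approved domain."""
    return BRAND in host.lower() and not is_legit_host(host)


def triage(raw: str) -> list[tuple[str, str]]:
    """Return (finding-code, detail) pairs; an empty list means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    # Sender checks: display name vs. real address, lookalike domain, Reply-To.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_host = host_of_addr(addr)
    if BRAND in name.lower() and not is_legit_host(from_host):
        findings.append(("display-name-spoof", f"{name!r} sent from {addr}"))
    if is_lookalike(from_host):
        findings.append(("lookalike-sender", from_host))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and host_of_addr(reply) != from_host:
        findings.append(("reply-to-mismatch", reply))

    # Link checks: any URL whose host embeds the brand but is not approved.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        if is_lookalike(urlparse(url).hostname or ""):
            findings.append(("lookalike-link", url))

    # Panic / call-to-action phrases in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY if p in haystack]
    if hits:
        findings.append(("urgency-bait", ", ".join(hits)))

    # Every attachment is reported; known-dangerous extensions get a stronger code.
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        code = "attachment-risky" if ext in RISKY_EXT else "attachment"
        findings.append((code, fname))
    return findings


# Constructed sample: lookalike sender domain, foreign Reply-To, lookalike link,
# panic wording and a zip attachment.
PHISH_MAIL = """\
From: "OpenSymmetry Support" <support@opensymmetry-billing.example>
Reply-To: collect@mailbox.example
Subject: URGENT: your account will be closed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your account has been compromised. Verify now at
http://opensymmetry.example-login.example/verify or it will be closed immediately.
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample of a message that should pass every check.
LEGIT_MAIL = """\
From: "OpenSymmetry Support" <support@opensymmetry.com>
Subject: Your scheduled maintenance window
Content-Type: text/plain; charset=utf-8

Details are at https://portal.opensymmetry.com/maintenance
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MAIL), ("legit", LEGIT_MAIL)):
        print(label, triage(raw))
```

The checks are deliberately simple string and domain comparisons so that they can be read and adjusted by an administrator; a production filter would add sender authentication results (SPF, DKIM, DMARC) from the receiving mail server rather than trusting the headers alone.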
OpenSymmetry Policy
Legitimate businesses such as OpenSymmetry will never ask you for login credentials or any other sensitive information via email. If you receive such an email, do not respond or click any links in it; instead, report the issue to your OpenSymmetry contact. If a phone caller identifies themselves as an OpenSymmetry employee and you do not recognize them, ask for an email address and a phone number to call them back on; then ask your OpenSymmetry contact to confirm whether the caller is a genuine OpenSymmetry employee before sharing anything.